The TEXACO Online Employment System wish to inform you that your posted information online has been carefully and confidentially reviewed by our Recruitment Team Professionals and we have considered under our current vacant opportunities within the Firm to employ you for work in our company.

TEXACO Online Employment System is affiliated to various job recruitment websites and your information was submitted to us by our online agent that submit job candidate resumes for consideration of employment depending on the vacancies we have in any branch of TEXACO Company Worldwide.

As regards to this, you have been automatically granted this employment to work in TEXACO Oil & Gas Field with a monthly salary of Eight Thousand Five Hundred Pounds (£8,500).

Kindly acknowledge the content of this message by reconfirming your interest in working for us and indicating your area of job interest, ensuring that you have quoted your vacancy title below or send your CV with a covering letter.

Do note the suspicious contact information, such as texaco@post.com and http://texaco.us.ms. The .ms top-level domain belongs to Montserrat, a small Caribbean nation.

The website at texaco.us.ms looks like this:

Don't apply… although the salary looks good and you get to name your own area of job interest, I'm sure your job would include picking up cash and wiring it to far-away places with Webmoney, Western Union and Fethard Finance.

Information leakage is a real problem. It's especially bad for high-security organizations, like military agencies.

And it's now harder than ever, thanks to services such as Flickr, Photobucket, Facebook, Twitter and Myspace.

So, we worked together with Lewis Communications to submit a Freedom of Information Act request to the UK Ministry of Defence, asking if they've had problems with this.

After waiting some weeks, we got a reply back, detailing that UK military personnel and Ministry of Defence staff have leaked secret information 16 times on social networking websites and Internet forums.

People might think they are confiding in friends or family when they go on Facebook, for example, but in fact they might be making information available to everybody. Such mistakes are especially easy to make now that Facebook has been modifying its privacy settings.

I gave myself a trial period of a couple of months, until the end of 2009, to decide whether Twitter is useful or not. If I didn't find it useful, I would quit using it.

During these months I've learned that Twitter is quite different from the other social networks. It is actually quite useful as a professional tool.

Many don't really understand what Twitter is all about. They think it's a system where people can tell others about their daily chores ("just had corn flakes for breakfast!"). This is not what Twitter is for.

Twitter is at its best when experts in their own field share notes, links and pointers to important developments they see.

In the field of data security, that would be a note about a new vulnerability. A major outbreak. Phishing run. Or something else.

And today, the place where you would hear about it first would be Twitter. Not the news. Not the blogs. Twitter.

I myself have now reached 5000 followers on Twitter (thanks!) and plan on continuing.

And the neat thing about Twitter is that you don't need to even sign up. It's all public.

Before Twitter, when something major would be going on, the first warnings and initial discussion about it would be in private – via e-mail, private mailing lists and text messages. Now much of that would happen in Twitter – in public. And you wouldn't even need to have a Twitter account to follow it.

As an example, let's say that a major website like TechCrunch got hacked. Just by searching for "techcrunch hacked" on Twitter you would be able to see the very first warnings, read what the buzz is and get the first expert opinions.

And the best part: Twitter is full of interesting figures from the field of computer security.

The book covers in detail several interesting real-world stories about computer criminals. For example, it covers the history of online crime sites like Carderplanet, Shadowcrew and DarkMarket. It talks about the credit card thefts of Albert Gonzalez. It even talks about Ghostnet and some of the targeted attacks that have recently been in the headlines.

And there's a very detailed rundown on what happened with the so-called Balakov Trio which we have mentioned in our blog before.

In the middle of all the attention to the "Operation Aurora" attacks, we're now seeing new targeted attacks that are using this very event as the lure to get the targets to open a malicious attachment!

Here's the e-mail we saw (the mail was forged to look like it came from gwu.edu):

Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack. I hope you find it interesting.

If you have any good idea / comments, are warmly welcome to feedback.

Best,

David

Attachment: Chinese cyberattack.pdf

The attachment Chinese cyberattack.pdf (md5: 238ecf8c0aee8bfd216cf3cad5d82448) is a PDF file which exploits the CVE-2009-4324 vulnerability in Adobe Reader (again, this is the one which was patched last week).

The exploit drops and runs a backdoor called Acrobat.exe (md5: 72170fc42ae1ca8a838843a55e293435). We detect this as W32/PoisonIvy.NQ. The PDF is detected as Trojan.Script.256073.

When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this:

What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0).

Now, what is the document talking about? President's day? DNI Information Sharing Environment? We don't know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month.

Hmm. The Agenda looks awfully familiar.

We detect the files as Exploit.PDF-JS.Gen and Trojan-Spy:W32/Agent.NBZ.

F-Secure Labs has learned of another interesting targeted attack. In this case, malicious PDF files were e-mailed to US defense contractors. While the "Aurora" attacks against Google and others happened in December 2009, this happened just last week.

The PDF file was quite convincing and it looked like it came from the Department of Defense:

PDF file md5 hash: c144581973fe16a6adca09e0d630bf63

The document talks about a real conference to be held in Las Vegas in March.

When opened in Adobe Reader, the file exploited the CVE-2009-4324 vulnerability. This is the doc.media.newPlayer vulnerability that Adobe patched last Tuesday.

The exploit dropped a file called Updater.exe (md5: 3677fc94bc0dd89138b04a5a7a0cf2e0). This is a backdoor that connects to IP address 140.136.148.42. In order to avoid detection, it bypasses the local web proxy when doing this connection.

Anybody who controls that IP will gain access to the infected computer and the company network. This particular IP is located in Taiwan.
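As an added example that ties together the three targeted-attack posts above (it is not F-Secure's code), here is a small Python triage script: it checks a PDF's MD5 against the hashes quoted in those posts and then searches the file, inflated Flate streams included, for the markers these lures rely on: an action that runs on open, embedded JavaScript and the doc.media.newPlayer API that Adobe patched as CVE-2009-4324. The two sample PDFs are constructed inline; KNOWN_BAD_MD5, SUSPICIOUS_PATTERNS and build_sample are the example's own names.

```python
import hashlib
import re
import zlib

# MD5s quoted in the three targeted-attack posts above (PDF lures and the backdoors they drop).
KNOWN_BAD_MD5 = {
    "238ecf8c0aee8bfd216cf3cad5d82448": "Chinese cyberattack.pdf lure",
    "72170fc42ae1ca8a838843a55e293435": "Acrobat.exe (W32/PoisonIvy.NQ)",
    "c3079303562d4672d6c3810f91235d9b": "intelligence expo PDF lure",
    "02420bb8fd8258f8afd4e01029b7a2b0": "Updater.exe (Trojan-Spy:W32/Agent.NBZ)",
    "c144581973fe16a6adca09e0d630bf63": "DoD conference PDF lure",
    "3677fc94bc0dd89138b04a5a7a0cf2e0": "Updater.exe (backdoor to 140.136.148.42)",
}
# Markers such a lure needs: auto-run on open, embedded JavaScript, the API patched as CVE-2009-4324.
SUSPICIOUS_PATTERNS = [
    (rb"/OpenAction", "action that runs automatically on open"),
    (rb"/JavaScript|/JS\b", "embedded JavaScript"),
    (rb"media\.newPlayer", "doc.media.newPlayer call (CVE-2009-4324)"),
]

def _inflate_streams(data: bytes) -> bytes:
    """Append the inflated form of every Flate stream so script hidden by compression is searchable."""
    parts = [data]
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.S):
        try:  # decompressobj tolerates the EOL bytes left before 'endstream'
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate data (image, font, ...): nothing to inflate
    return b"\n".join(parts)

def triage_pdf(data: bytes) -> dict:
    """Hash-match against the posts' IoCs, then apply the structural heuristics."""
    md5 = hashlib.md5(data).hexdigest()
    findings = ["known sample: " + KNOWN_BAD_MD5[md5]] if md5 in KNOWN_BAD_MD5 else []
    body = _inflate_streams(data)
    findings += [label for pat, label in SUSPICIOUS_PATTERNS if re.search(pat, body)]
    return {"md5": md5, "findings": findings, "suspicious": bool(findings)}

def build_sample(payload: bytes, auto_run: bool) -> bytes:
    """Constructed minimal PDF with one Flate stream; auto_run adds an /OpenAction JavaScript action."""
    comp = zlib.compress(payload)
    action = b" /OpenAction 3 0 R" if auto_run else b""
    js_obj = b"3 0 obj << /S /JavaScript /JS 4 0 R >> endobj\n" if auto_run else b""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R" + action + b" >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n" + js_obj +
            b"4 0 obj << /Length " + str(len(comp)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + comp + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

SAMPLE_LURE = build_sample(b"this.media.newPlayer();", auto_run=True)  # constructed lure
SAMPLE_BENIGN = build_sample(b"BT /F1 12 Tf (Conference agenda) Tj ET", auto_run=False)  # constructed decoy
```

The hash list only catches the exact samples from the posts; the structural checks are what flag a re-packed lure, so a hit on them is a reason to open the file in a sandbox rather than in Reader.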

Microsoft recently announced a new vulnerability in certain versions of its Internet Explorer web browser. If exploited, the vulnerability (CVE-2010-0249) can allow remote code execution.

Announcement of this vulnerability follows on the heels of last week's targeted zero-day attacks against a number of companies.

Since we are talking about a targeted attack, many companies and organizations have contacted us asking about solutions for attacks like this. We're happy to report that F-Secure Internet Security blocked this exploit proactively. This is made possible by the Exploit Shield element in our Browsing Protection feature.

So far we've only seen a handful of samples that exploit this vulnerability. To protect users with older versions of our products and to add gateway detection, we have added specific detection for the known samples as well. We detect the exploit code as Exploit:JS/Agent.MZF, while the payload is detected as Exploit:JS/Comele.A.

Below is a quick video showing the Exploit Shield feature in action. It isn't narrated, but the whole thing is pretty straightforward.

Not all antivirus solutions are equal. Our Exploit Shield was able to block "Operation Aurora" attacks before they were made.

Yesterday in Blackfriars Crown Court in London, Mr. Renu Subramaniam aka JiLsi pleaded guilty to "conspiracy to defraud" and to five counts of "furnishing false information". Judge John Hillen warned it was "inevitable" he faced a "substantial sentence".

This is the latest development in the Darkmarket sting operation, in which FBI Special Agent Keith Mularski worked undercover for two years, operating a message forum for online criminals while posing as one of them. The operation ended last fall with 60 arrests around the world.

The most famous arrest to come out of this sting operation was the arrest of Çağatay Evyapan in Turkey. Mr. Evyapan, known online as "cha0" was arrested in a raid by a special unit of the Turkish police.

JiLsi was one of the co-administrators of Darkmarket with agent Mularski and had no idea he was working with a "fed".

Absolute privacy on Facebook (and the Internet) is an illusion, it doesn't really exist. Relative privacy is the best that we can hope for.

Should we panic about this?

No.

There is a very simple solution. If you absolutely don't want to share it, then don't upload it to a SOCIAL networking site.

And fortunately, most of the people we've surveyed appear to have enough common sense to understand the costs and benefits of sharing.

P.S. It would, however, be nice if Facebook users could disable the share with anyone option.

We haven't seen it in the wild, but it would be rather trivial for a worm such as Koobface to collect such URLs when an account is compromised. Recovering the account and resetting the password won't invalidate access to these links.

A day after the disaster that struck the Caribbean nation of Haiti, rogueware perpetrators have once again been busy with their SEO poisoning schemes. Searching for terms related to the earthquake leads to a website that installs a rogue onto the system.

It happens when an unsuspecting user searches for Haiti Earthquake details.

Over the last few years, we've worked with dozens of companies that have been hit with targeted attacks, i.e. espionage trojans. Not a single one of these companies went public with the information.

Amazingly, Google has now done just that. They've announced they were hit with a targeted trojan. The aim of the attack was to gain access to the Gmail accounts of Chinese human rights activists. Google also goes on to directly blame the Chinese Government for the attack, and announces that as a result, they plan to stop censoring google.cn search results. Wow.

We believe the attack was launched via a convincing e-mail with an exploit-ridden PDF attachment. Updated to add: We were wrong, the attack was done with an IE 0-day attack instead.

Yesterday Adobe released security updates for Adobe Reader, closing several vulnerabilities.

Amazingly, at the same time Adobe has also announced that they were hit by a targeted attack as well. Maybe somebody was trying to gain access to their development systems in order to find out new vulnerabilities for future attacks?

We have warned about attacks like this several times.

To get a better idea of how these attacks work, here's a YouTube video we have created about Targeted Attacks:

And here's another video that shows a screen capture of what it actually looks like when you open a booby-trapped PDF file.

Google's Android mobile operating system has been out for a while and is generating more and more interest.

Now there has been some buzz about fraudulent applications being posted on the Android Market. See these postings:

Both of these apps were written by an anonymous developer known as 09Droid.

In fact, he had a whole collection of online banking applications for sale on the Market:

(image courtesy of Brandon McGee)

These applications were being sold, but it's still unclear what exactly they did. We haven't been able to secure a copy for ourselves yet, so we don't know either.

Since the applications were not developed or authorized by the banks themselves, they could not do real online banking from the Android device. Apparently they only opened the web interface of the online bank for the user. On the other hand, they could have stolen user credentials.

We can't ask these questions of Mr. 09Droid himself either, as he is nowhere to be found. His applications have been removed from the Market, and his contact information points to an empty Blogspot page.

In the meanwhile, many of the affected banks have been assuming the worst and have issued public warnings to their customers. Here's an example warning from Bayport Credit Union:

In any case, we recommend that users remove applications from 09Droid from their Android devices.

Updated to add: Developer 09Droid had at least the following applications for sale in Android Marketplace. They have all been removed.

We haven't seen ransomware for a while, so a recent scheme that mixed elements of modern rogueware pushing and old-school ransomware attempts was rather interesting.

The preliminary work is done by a program we detect as Trojan:W32/DatCrypt, which makes it look as if certain files — mostly Microsoft Office documents, video, music and image files — on the infected system had been "corrupted":

Actually, the files have been encrypted by DatCrypt.

Next, the trojan advises the user to download and execute the "recommended file repair software":

If the utility is downloaded and executed, the luckless user finds that it can "only repair one file in unregistered version":

To repair — or more accurately, decrypt — anything more, the user has to buy the product.

Think about this from the user's point of view: "Oh my god, I've lost my important files!" "Thank god I found this great product that recovered them perfectly for just $89.95." "I'm going to recommend Data Doctor to all my friends." Effectively, the user is forced to pay a ransom for his own files, and he doesn't even realize he's paying a ransom.

This scheme works on the assumption that the user wants the affected files badly enough to be willing to pay to recover them — and that the user hasn't prudently saved copies of these files elsewhere. The attack would probably lose its bite if the user could just say "oh well…", delete the "corrupted" files and retrieve the backups.

So this would be a good time to remind everyone to back up their important files regularly, either onto removable media like CDs, DVDs or USB thumb drives, or to online resources such as our Online Backup.

Because having to pay someone to get back a copy of your homework, or tomorrow's presentation, or your mom's favorite recipe, is just… annoying.

Many thanks to Adam Thomas from Sunbelt for providing samples of the dropper, and Chang for the initial analysis.

We have good news: this spring is no exception! We're going to cover topics from reverse engineering to antivirus engine internals, including homework puzzles that will make the students test their skills with actual tools of the trade like IDA Pro and Ollydbg.

Now, although we won't give out actual malware samples to the students, we try to cover a lot of real cases in the lectures. Something that hasn't changed over the years is the habit of malware authors leaving secret messages in their creations. As I was going through samples to show, I picked out a few examples. Here's a boot sector infected by Brain, the first PC virus, from 1986:

And here's a rootkit driver seen in the wild during the Christmas holidays of 2009, trying to make the message a bit less easy to spot:

We'll touch on both cases during the lectures.

If you're not a student at the university, you can view the course material from the course page, where we'll post new material as the course progresses.